I lease a few servers from 1and1. Up until the beginning of last week, everything was functioning normally.
Starting last week, one of my servers started receiving a massive increase in DNS traffic. There were between 100 and 200 requests per second, with logs containing lines similar to the following:
Feb 17 06:22:37 serv01 named: client xxx.xxx.xxx.xx#60797: query (cache) 'isc.org/ANY/IN' denied
Feb 17 08:23:37 serv01 named: client xx.xx.xxx.xx#53: query (cache) 'ripe.net/ANY/IN' denied
After some research I discovered that during a recent upgrade to Plesk, the DNS recursion settings were changed (by the upgrade script) to Any host! This resulted in my server acting as an open DNS answering all requests. This I changed immediately.
Further investigation identified huge log files and a massive amount of traffic. The traffic was all requesting the above information while spoofing the source IP. Blocking individual addresses required constant monitoring.
In order to reduce the log file size and CPU time, I implemented a set of iptables rules designed to:
- Limit the number of connections to UDP 53
- Match the strings ripe.net and isc.org (discovered using Wireshark)
I have successfully managed to drop all these requests at the firewall, releasing the strain on my server's I/O and CPU time; however, according to iptraf and 'iptables -vnL --line-numbers', the traffic is still continuing, with the following statistics after 24 hours:
num pkts bytes target prot opt in out source destination
1 22M 1387M udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW recent: SET name: DNSLF side: source
2 21M 1382M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW recent: UPDATE seconds: 1 hit_count: 6 name: DNSLF side: source
3 82190 5269K udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW recent: SET name: DNSHF side: source
4 4522 289K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW recent: UPDATE seconds: 7 hit_count: 20 name: DNSHF side: source
5 4797K 316M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
1 1927 118K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|076c796e6c656f6e03636f6d00|" ALGO name bm TO 65535 udp dpt:53
2 2052K 135M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0472697065036e657400|" ALGO name bm TO 65535 udp dpt:53
3 2371K 152M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|00000000000103697363036f726700|" ALGO name bm TO 65535 udp dpt:53
4 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|00000000010372697065036e657400|" ALGO name bm TO 65535 udp dpt:53
5 3576K 276M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Although my firewall rules are working, I would prefer to find a more permanent method to block/reject. Anybody have any advice?
My server specs:
AuthenticAMD, AMD Phenom(tm) II X6 1055T Processor (6 CPU)
100 Mbps full duplex
Linux 2.6.32-279.5.1.el6.x86_64 #1 SMP Tue Aug 14 23:54:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Plesk 11.0.9 (fully up-to-date)
'iptables' and 'ossec-hids'
8 IP addresses
authoritative name server (12 zones)
Thanks in advance,
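An added example (not code from the original post) for the string-match half of the ruleset above: it builds the pattern that `iptables -m string --algo bm --hex-string` needs for a DNS query name (the RFC 1035 length-prefixed label encoding, optionally preceded by the ANCOUNT/NSCOUNT/ARCOUNT header words, which are the two layouts the four patterns in the table use), and decodes a pattern back to a name so a rule can be checked before it is loaded. Decoding the four patterns shows the three busy rules encode lynleon.com, ripe.net and isc.org, while the fourth does not parse as a well-formed question name in either layout, which fits its zero packet count; the `INPUT` chain in the generated rule is an assumption.

```python
"""Added example (not from the original post): build and check the '|hex|'
patterns that 'iptables -m string --algo bm --hex-string' matches for DNS names."""
import string

LABEL_CHARS = set(string.ascii_letters + string.digits + "-")

def qname_wire(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels, terminated by a NUL byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63 or set(label) - LABEL_CHARS:
            raise ValueError(f"invalid label in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def hex_pattern(name: str, with_counts: bool = False, arcount: int = 1) -> str:
    """Pattern in iptables '|..|' notation. with_counts=True prefixes the
    ANCOUNT=0, NSCOUNT=0, ARCOUNT=arcount header words (ARCOUNT is 1 when the
    query carries an EDNS OPT record), anchoring the match to the question."""
    prefix = b"\x00\x00\x00\x00" + arcount.to_bytes(2, "big") if with_counts else b""
    return "|" + (prefix + qname_wire(name)).hex() + "|"

def _parse_at(data: bytes, off: int):
    """Parse a name starting at offset; it must end exactly at the last byte."""
    labels = []
    while off < len(data):
        n, off = data[off], off + 1
        if n == 0:
            return ".".join(labels) if labels and off == len(data) else None
        label = data[off:off + n]
        if not 1 <= n <= 63 or len(label) != n or set(label.decode("latin1")) - LABEL_CHARS:
            return None
        labels.append(label.decode("ascii"))
        off += n
    return None

def decode_pattern(pattern: str):
    """Recover the name a pattern matches, with the name either at the start
    or after the three 16-bit count words; None if neither layout parses."""
    data = bytes.fromhex(pattern.strip("|"))
    return next((n for n in (_parse_at(data, o) for o in (0, 6)) if n), None)

def drop_rule(name: str, with_counts: bool = False) -> str:
    """Constructed rule (INPUT chain assumed) dropping UDP/53 packets with the name."""
    return (f"iptables -A INPUT -p udp --dport 53 -m string --algo bm "
            f"--hex-string '{hex_pattern(name, with_counts)}' -j DROP")
```

Run decode_pattern over each pattern from `iptables -vnL` output before trusting a rule's hit counter; a pattern that returns None will never match a real query.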